6.6
Craft CMS 5.8.21 Allows Authenticated Administrators to Execute Code on the Server
CVE-2026-28695
GHSA-94rc-cqvm-m4pw
Summary
Craft CMS contains a server-side template injection flaw: the `create()` Twig function exposes `Craft::createObject()`, so anyone who can save Twig that the CMS later renders (in practice an administrator editing an entry type's Title Format, or any user with access to the System Messages utility) can instantiate arbitrary PHP classes, including the bundled `Symfony\Component\Process\Process`, and run shell commands as the web-server user. The result is full server compromise. Update to a fixed release; until then, set `allowAdminChanges` to `false` in production (which makes entry type settings read-only in the control panel) and restrict access to the System Messages utility, because that path does not depend on `allowAdminChanges`.
What to do
- Craft CMS 5.x: update the craftcms/cms package to 5.9.0-beta.1 or later.
- Craft CMS 4.x: update the craftcms/cms package to 4.17.0-beta.1 or later.
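As an added illustration (not text from the advisory and not a file shipped with Craft), here is the interim hardening from the summary written as a Craft `config/general.php` in Craft's multi-environment array form. The environment names (`dev`, `production`) and the comments about which control-panel screens the setting locks are assumptions about a typical install:

```php
<?php
// config/general.php (illustrative, assumed layout; not part of Craft CMS).
// Craft picks the environment block from the CRAFT_ENVIRONMENT value, and
// keys under 'production' override the same keys under '*'.
return [
    '*' => [
        // Weak setting: the control panel may change settings, fields,
        // entry types and System Messages at runtime. Combined with the
        // template-exposed create() function this is the path to RCE
        // described in this advisory.
        'allowAdminChanges' => true,
    ],
    'dev' => [
        'devMode' => true,
    ],
    'production' => [
        // Corrected setting: freeze the control panel. Entry type settings,
        // including the "Title Format" field used in the proof of concept,
        // become read-only; schema changes are deployed via project config.
        'allowAdminChanges' => false,
        'devMode' => false,
    ],
];
```

Craft 4 and later also honour a `CRAFT_ALLOW_ADMIN_CHANGES=false` line in `.env`, which is the easier option when config files are shared between environments. Either way this only closes the entry type vector the advisory names; the System Messages utility is still editable, so remove that utility's permission from every non-admin user group and keep the admin set as small as possible.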
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| craftcms | cms | > 5.8.7 , < 5.9.0-beta.1 | 5.9.0-beta.1 |
| craftcms | cms | > 4.0.0-RC1 , < 4.17.0-beta.1 | 4.17.0-beta.1 |
| craftcms | craft_cms | > 4.0.0 , <= 4.17.0 | – |
| craftcms | craft_cms | > 5.0.0 , <= 5.9.0 | – |
| craftcms | craft_cms | 4.0.0 | – |
| craftcms | craft_cms | 5.0.0 | – |
Original title
Craft CMS Vulnerable to Authenticated RCE via Twig SSTI - create() function + Symfony Process gadget
Original description
There is an authenticated admin RCE in Craft CMS 5.8.21 via Server-Side Template Injection using the `create()` Twig function combined with a Symfony Process gadget chain.
This bypasses the fix implemented for CVE-2025-57811 (patched in 5.8.7).
## Required Permissions
- Administrator permissions or access to System Messages utility
- `allowAdminChanges` enabled in production ([against our security recommendations](https://craftcms.com/knowledge-base/securing-craft#set-allowAdminChanges-to-false-in-production)) or access to System Messages utility
## Vulnerability Details
The `create()` Twig function exposes `Craft::createObject()`, which allows instantiation of arbitrary PHP classes with constructor arguments. Combined with the bundled `symfony/process` dependency, this enables RCE.
## Attack Vector
Admin panel → Settings → Entry Types → Title Format field
## Proof of Concept Payload
```twig
{# Twig literal: "\\" is one backslash, so this names Symfony\Component\Process\Process #}
{% set p = create("Symfony\\Component\\Process\\Process", [["id"]]) %}
{# Attribute access calls mustRun() and then getOutput() on the Process object #}
{{ p.mustRun.getOutput }}
```
## Steps to Reproduce
1. Log in as admin
2. Navigate to Settings → Entry Types
3. Edit any entry type’s "Title Format" field
4. Insert the payload above
5. Create/edit an entry of that type
6. Command executes, output appears in entry title
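For incident response after the steps above, the following added PHP example (not part of the advisory and not Craft's code) scans stored Twig sources for the indicators this payload leaves behind: a `create(` call, the Symfony Process class name, and Process method access. The two sample title formats are constructed here; the optional walk over `config/project`, where Craft persists entry type definitions as YAML, assumes a standard project layout:

```php
<?php
declare(strict_types=1);

/**
 * Indicator patterns for Twig that reaches the create() gadget. The Process
 * pattern accepts any run of backslashes because Twig string literals double
 * them ("Symfony\\Component\\...") while YAML may store them singly.
 */
const RISKY_TWIG_PATTERNS = [
    'create() call'          => '/\bcreate\s*\(/i',
    'Symfony Process gadget' => '/Symfony\\\\+Component\\\\+Process/i',
    'Process API call'       => '/\.(mustRun|run|start|getOutput)\b/',
];

/** Returns the indicator labels matched by $twigSource (empty array = clean). */
function findRiskyTwig(string $twigSource): array
{
    $hits = [];
    foreach (RISKY_TWIG_PATTERNS as $label => $regex) {
        if (preg_match($regex, $twigSource) === 1) {
            $hits[] = $label;
        }
    }
    return $hits;
}

/**
 * Walks a project-config directory and reports YAML lines whose key is
 * titleFormat, subject or body (the fields an attacker can reach) and whose
 * value trips an indicator. Returns [path => [lineNo => [labels]]].
 * A per-line regex is enough because Craft writes these values on one line.
 */
function scanProjectConfig(string $dir): array
{
    $findings = [];
    if (!is_dir($dir)) {
        return $findings;
    }
    $files = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($dir, FilesystemIterator::SKIP_DOTS)
    );
    foreach ($files as $file) {
        if ($file->getExtension() !== 'yaml') {
            continue;
        }
        $path = $file->getPathname();
        foreach (file($path, FILE_IGNORE_NEW_LINES) ?: [] as $n => $line) {
            if (!preg_match('/^\s*(titleFormat|subject|body):\s*(.+)$/', $line, $m)) {
                continue;
            }
            $hits = findRiskyTwig($m[2]);
            if ($hits !== []) {
                $findings[$path][$n + 1] = $hits;
            }
        }
    }
    return $findings;
}

// Constructed samples: a normal title format and the advisory's payload as
// it is stored after being saved through Settings -> Entry Types.
$samples = [
    'benign'  => '{{ object.postDate|date("Y-m-d") }} {{ object.productName }}',
    'payload' => '{% set p = create("Symfony\\\\Component\\\\Process\\\\Process", [["id"]]) %}{{ p.mustRun.getOutput }}',
];
foreach ($samples as $name => $src) {
    $hits = findRiskyTwig($src);
    printf("%-7s %s\n", $name, $hits === [] ? 'clean' : 'SUSPICIOUS: ' . implode(', ', $hits));
}

// Optional: hunt through a real project's config directory (assumed path).
foreach (scanProjectConfig(__DIR__ . '/config/project') as $path => $lines) {
    foreach ($lines as $n => $hits) {
        printf("%s:%d %s\n", $path, $n, implode(', ', $hits));
    }
}
```

Run the same `findRiskyTwig()` check over the live database too, since project config can lag behind what an administrator saved: the entry type title formats live in the `entrytypes` table and System Messages in the `systemmessages` table (column names vary by release, so confirm them against your schema). A `create(` call has no normal business in a title format, so any hit there deserves a look at who saved it and when.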
## Impact
- Authenticated Remote Code Execution
- Runs as web server user (root in default Docker setup)
- Full server compromise
## Root Cause
`Craft::createObject()` allows the instantiation of any class, including `Symfony\Component\Process\Process`, which executes shell commands.
## Suggested Fix
- Blocklist dangerous classes in createObject() when called from Twig
- Or remove/restrict the create() Twig function
- Or validate class names against an allowlist
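The allowlist option from the list above, as an added PHP illustration (not Craft's fix, which is in the linked commit). The class stands in for the Twig `create()` function and accepts the same string or `['class' => ...]` forms that `Craft::createObject()` takes; the allowed class set is an assumed policy, and the demo instantiates with `new` instead of going through Yii's container so that it runs outside Craft:

```php
<?php
declare(strict_types=1);

/**
 * Illustrative allowlisting front end for a template-exposed create().
 * Not Craft's patch; the allowlist is an assumed policy for this demo.
 */
final class SafeCreate
{
    /** Fully qualified classes a template may instantiate (assumed policy). */
    private const ALLOWED = [
        'DateTime',
        'DateInterval',
        'ArrayObject',
    ];

    /**
     * Normalises the name the way PHP resolves it: leading backslash dropped,
     * comparison case-insensitive. A naive string compare would let
     * "\symfony\component\process\Process" past a denylist or allowlist.
     */
    public static function resolveClass(string|array $type): string
    {
        if (is_array($type)) {
            // Yii-style config array: ['class' => ...] or ['__class' => ...]
            $type = $type['class'] ?? $type['__class'] ?? null;
        }
        if (!is_string($type) || $type === '') {
            throw new InvalidArgumentException('create(): class name must be a non-empty string');
        }
        return ltrim($type, '\\');
    }

    public static function isAllowed(string $class): bool
    {
        foreach (self::ALLOWED as $allowed) {
            if (strcasecmp($class, $allowed) === 0) {
                return true;
            }
        }
        return false;
    }

    /**
     * Replacement for the Twig create() function. The check runs before any
     * code of the target class can execute: autoloaders, constructors and
     * property hooks are all attacker-reachable once instantiation starts.
     */
    public static function create(string|array $type, array $params = []): object
    {
        $class = self::resolveClass($type);
        if (!self::isAllowed($class)) {
            throw new RuntimeException("create(): {$class} may not be instantiated from a template");
        }
        // Inside Craft this would delegate to Craft::createObject($type, $params),
        // which also applies the remaining keys of a config array as properties.
        return new $class(...$params);
    }
}

// Demo with constructed inputs: one legitimate use and the advisory's gadget
// in three spellings an attacker might try against a sloppy check.
$cases = [
    ['DateTime', ['2026-03-03']],
    ['Symfony\\Component\\Process\\Process', [['id']]],
    ['\\symfony\\component\\process\\Process', [['id']]],
    [['class' => 'Symfony\\Component\\Process\\Process'], [['id']]],
];
foreach ($cases as [$type, $params]) {
    try {
        $object = SafeCreate::create($type, $params);
        echo 'allowed: ' . $object::class . PHP_EOL;
    } catch (RuntimeException $e) {
        echo 'blocked: ' . $e->getMessage() . PHP_EOL;
    }
}
```

An exact-match allowlist is deliberately stricter than a namespace prefix such as `craft\` or `yii\`: both frameworks contain classes whose constructors or setters touch the filesystem, so a namespace rule only moves the gadget hunt. A denylist of known gadgets (the Process class here) fails the other way, because the next gadget is simply one nobody listed yet.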
## Resources
https://github.com/craftcms/cms/commit/e31e50849ad71638e11ea55fbd1ed90ae8f8f6e0
nvd CVSS 3.1: 7.2
nvd CVSS 4.0: 7.5
Vulnerability type
- CWE-1336: Improper Neutralization of Special Elements Used in a Template Engine (Template Injection)
- CWE-22: Path Traversal
- CWE-94: Code Injection
Published: 3 Mar 2026 · Updated: 13 Mar 2026 · First seen: 6 Mar 2026